Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

GH-250: Improve/cleanup VXLAN decapsulation support

Browse source 
* Better parsing/error-checking of VXLAN and encapsulated packet headers

* Add/implement the "vxlan_packet" event

* Add "Tunnel::vxlan_ports" option to tune the set of VXLAN ports to
  analyze/decapsulate

* Add "Tunnel::validate_vxlan_checksums" option to allow for tuning of how
  checksums associated with the outer UDP header of a possible VXLAN
  tunnel are handled

Fixes GH-250
This commit is contained in:
Jon Siwek 2019-03-12 18:09:28 -07:00
parent f4088be8a6
commit 09ae539ea8
23 changed files with 206 additions and 243 deletions
Download patch file Download diff file Expand all files Collapse all files

3
scripts/base/frameworks/tunnels/main.bro
View file

@ -85,7 +85,6 @@ export {
const ayiya_ports = { 5072/udp };
const teredo_ports = { 3544/udp };
const gtpv1_ports = { 2152/udp, 2123/udp };
const vxlan_ports = { 4789/udp };
redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports };
event bro_init() &priority=5
@ -94,8 +93,8 @@ event bro_init() &priority=5
Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
}
function register_all(ecv: EncapsulatingConnVector)

12
scripts/base/init-bare.bro
View file

@ -4857,6 +4857,18 @@ export {
## How often to cleanup internal state for inactive IP tunnels
## (includes GRE tunnels).
const ip_tunnel_timeout = 24hrs &redef;
## Whether to validate the checksum supplied in the outer UDP header
## of a VXLAN encapsulation. The spec says the checksum should be
## transmitted as zero, but if not, then the decapsulating destination
## may choose whether to perform the validation.
const validate_vxlan_checksums = T &redef;
## The set of UDP ports used for VXLAN traffic. Traffic using this
## UDP destination port will attempt to be decapsulated. Note that if
## if you customize this, you may still want to manually ensure that
## :bro:see:`likely_server_ports` also gets populated accordingly.
const vxlan_ports: set[port] = { 4789/udp };
} # end export
module Reporter;